Recently, I've been thinking more about the compliance shift that is under way at this moment. Part of the recent evolution of security is the compliance landscape. If we take the foundation of this evolution and apply it to compliance, we get a very interesting shift, one that looks more and more disruptive the longer I think about it. This compliance shift will not only affect practitioners to the core of how they manage third parties, but will dramatically change the compliance and regulatory landscape moving forward. There are two key areas of this conversation I'll talk about. The first is the "point in time" model of compliance today. The second is the expected result of the audit itself.

We have managed compliance for the past 30 years in IT as a point-in-time type of event. Auditors come in at a particular time of the year and perform their assessments for that period of time. Perhaps there is some testing of the process controls over a span of time; however, it is still a point-in-time assessment. What's starting to happen is the introduction of continuous assessments, where it's not just a point in time but continuous testing over the lifespan of the organization. With new services, such as SkyHigh, we are seeing the ongoing monitoring and assessment of a particular service. This includes, among other things, compromises of that service.

This is resonating very well with me and others, as practitioners are being forced to deal with vendors on a continuous basis. Most notably, the impact of a compromise can be quite significant. It can occur at any time and will not necessarily be identified via an audit. With more of a continuous service assessment, we are seeing much higher value to the practitioner than historical audits have delivered. Since my challenges are really about ensuring the security of my content and transactions in that service, I need to integrate all of it into my ongoing risk management process. To do that I need continuous monitoring to ensure any change is identified quickly and managed to resolution appropriately. Historical audits are not suited to do this, and that has hindered our comfort with cloud services for some time.

This change in how audits are being done is clearly going to change our view of vendors and our own risk management process. It will most notably impact the "optional" assessments and certifications we receive (ISO 27002, SSAE16, etc.), which are really there to provide clarity to customers on our own performance. With a continuous model, that clarity becomes more timely and actionable. This will have two effects. The first is the disruption of the entire certification / audit performance industry; the KPMG / PwCs of the world will see a drawdown of that business. Second, new assessment ratings will arise. This can already be seen as SkyHigh's assessments and ratings gain more traction and relevancy; it's this A-F rating system that will become a new standard in the industry. With this, it also changes our concept of what the value of the audit is.

This brings me to the second main point: process-testing vs. results-oriented audits. Almost all audits test the processes an organization uses to comply with best practices. What these new continuous assessments are really driving is more of a results-oriented model. It's not how the application was developed, but that it's vulnerability free. It's not how the changes are performed, but that it hasn't been compromised. A clear definition of what the expected outcome of a vendor is will drive clear assessment criteria. With this, a continuous assessment model can be applied.

It will be interesting to see what level of disruption this new model will have, but I can already see adoption by many security organizations. The metamorphosis of their own risk management and threat response programs around these new data feeds has been remarkable. With stronger industry adoption, I can see it becoming more and more of a cultural shift in how we place our expectations onto cloud providers and monitor how they manage to them, dramatically changing the entire audit industry.

Somaini's Cyber Security Blog

Justin Somaini's personal views of Cyber Security policy, practices, threats and defenses. Justin is an active member of the industry and is passionate about how we can work and play in an increasingly digital world safely.